Antivirus XP 2008 causing problems. Please help.

Fidos

I'm currently using Windows 2000 Professional. Antivirus XP 2008 is on my computer and I can't get rid of it. There's a box in the middle of the screen saying: Warning! Spyware detected on your computer! Install an antivirus or spyware remover to clean your computer.

I followed the instructions in the BEFORE you POST thread, but even after multiple attempts to remove the problems in red there are always 2 that can't be removed.

Here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:18:50 PM, on 8/22/2008
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\explorer.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\loadqm.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINNT\System32\lphc57dj0et2g.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: (no name) - {AE75F0AA-0C09-3646-8A7B-28B24300F4B3} - corrida.dll (file missing)
R3 - URLSearchHook: (no name) - {C911510E-E118-7A41-1C46-3B7495D7F222} - xsetup.dll (file missing)
F3 - REG:win.ini: load=C:\WINNT\System32\rhdxqvesf\csrss.exe
F3 - REG:win.ini: run=C:\WINNT\System32\rhdxqvesf\csrss.exe
F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINNT\System32\msxml71.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Micr Update] soundblaster.exe
O4 - HKLM\..\Run: [Microsoft MCT64 Center] nmc32.exe
O4 - HKLM\..\Run: [M_S DVD DirectX Dll Drivers] msxdl.exe
O4 - HKLM\..\Run: [Netbios Helper] C:\WINNT\System32\nbthlp.exe
O4 - HKLM\..\Run: [Sygate Personal Firewall Start] servic.exe
O4 - HKLM\..\Run: [blah service] x[X]x.exe
O4 - HKLM\..\Run: [Windows Logon Service] winlogon.pif
O4 - HKLM\..\Run: [MS Windows Security Updater] updater.pif
O4 - HKLM\..\Run: [Windows Update Service] update32.pif
O4 - HKLM\..\Run: [progmen] abrek.exe
O4 - HKLM\..\Run: [wormexe] iehelper.exe
O4 - HKLM\..\Run: [Dest068] sysconf16.exe
O4 - HKLM\..\Run: [startman] StatusCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [lphc57dj0et2g] C:\WINNT\System32\lphc57dj0et2g.exe
O4 - HKLM\..\Run: [SMrhc17dj0et2g] C:\Program Files\rhc17dj0et2g\rhc17dj0et2g.exe
O4 - HKLM\..\Run: [sysrest32.exe] C:\WINNT\System32\sysrest32.exe
O4 - HKLM\..\RunServices: [Microsoft MicroP Protocol] wdgmr32.exe
O4 - HKLM\..\RunServices: [Micr Update] soundblaster.exe
O4 - HKLM\..\RunServices: [Windows SRM32 Pass] srm32.exe
O4 - HKLM\..\RunServices: [Microsoft MCT64 Center] nmc32.exe
O4 - HKLM\..\RunServices: [FireWire Service] nvscv32.exe
O4 - HKLM\..\RunServices: [M_S DVD DirectX Dll Drivers] msxdl.exe
O4 - HKLM\..\RunServices: [Sygate Personal Firewall Start] servic.exe
O4 - HKLM\..\RunServices: [blah service] x[X]x.exe
O4 - HKLM\..\RunServices: [Windows Logon Service] winlogon.pif
O4 - HKLM\..\RunServices: [MS Windows Security Updater] updater.pif
O4 - HKLM\..\RunServices: [Windows Update Service] update32.pif
O4 - HKCU\..\Run: [Micr Update] soundblaster.exe
O4 - HKCU\..\Run: [Microsoft MCT64 Center] nmc32.exe
O4 - HKCU\..\Run: [Microsoft MicroP Protocol] wdgmr32.exe
O4 - HKCU\..\Run: [Windows SRM32 Pass] srm32.exe
O4 - HKCU\..\Run: [Spyware Vanisher] c:\spywarevanisher-free\FreeScanner.exe -FastScan
O4 - HKCU\..\Run: [M_S DVD DirectX Dll Drivers] msxdl.exe
O4 - HKCU\..\Run: [Windows Logon Service] winlogon.pif
O4 - HKCU\..\Run: [porka_] progmen.exe
O4 - HKCU\..\Run: [MONITER] hyandex.exe
O4 - HKCU\..\Run: [lpt] MONITER.exe
O4 - HKCU\..\Run: [teqq32] srbho.exe
O4 - HKCU\..\Run: [BoundRec] iesetupdll.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunServices: [M_S DVD DirectX Dll Drivers] msxdl.exe
O4 - HKCU\..\RunServices: [Windows Logon Service] winlogon.pif
O4 - HKCU\..\RunServices: [MS Windows Security Updater] updater.pif
O4 - HKCU\..\RunServices: [Windows Update Service] update32.pif
O4 - HKUS\.DEFAULT\..\Run: [Micr Update] soundblaster.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft MCT64 Center] nmc32.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [M_S DVD DirectX Dll Drivers] msxdl.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Sygate Personal Firewall Start] servic.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows Logon Service] winlogon.pif (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows Login Security] winlogin.pif (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunServices: [M_S DVD DirectX Dll Drivers] msxdl.exe (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://xiah.gamescampus.com/luncher/GamesCampus.cab
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DirectX Graphics (dxdmain) - Unknown owner - C:\WINNT\System32\dxdmain.exe (file missing)
O23 - Service: msecure (mcsecure) - Unknown owner - C:\WINNT\mcsecure.exe (file missing)
O23 - Service: netinfo - Unknown owner - C:\WINNT\netinfo.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Client (RpcClient) - Unknown owner - C:\WINNT\System32\rpcclient.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Monitoring (Rpcmon) - Unknown owner - C:\WINNT\system32\ooo.exe (file missing)
O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINNT\System32\SCardClnt.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: AntiSpyUltra (Zonelaps) - Unknown owner - C:\WINNT\vsmom.exe (file missing)

--
End of file - 8517 bytes

Thanks for the help.
 
Hello Fidos

Welcome to Safer Networking.

Please read Before You Post
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.


I have to tell ya, I have been at this for almost 7 years and this is one of the most heavily infected computers that I have ever seen. Antivirus XP is just the tip of the iceberg: you have a rootkit infection that can leave your system compromised, which means even if we try to clean all the infections off this system I would be leery about doing any online transactions. You also have many other malware infections. My best advice is to reformat and do a clean install of Windows; Windows 2000 is a bit dated anyway, I would upgrade to XP. If you want to proceed with the cleaning, I can't guarantee that we can get it all, but we can try. Let me know what you want to do.
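To show what the helper is reacting to in the log above, here is a small triage script, added as an example and not part of the thread or of HijackThis itself. It runs over a handful of lines copied from the first HJT log (with a few legitimate AVG, QuickTime, ZoneAlarm and mobsync entries kept for contrast) and flags the indicators a practitioner reads off such a log by eye: .pif files in Run keys, bare filenames with no vendor path, a csrss.exe started from win.ini out of a random folder, a gibberish per-victim name, the same command replicated across HKLM, HKCU and RunServices, and services whose binaries are already gone. The `KNOWN_BARE` allow-list and the gibberish pattern are assumptions for this sample, not a published rule set.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the first HijackThis log in this thread,
# with a few legitimate entries (mobsync, AVG, QuickTime, ZoneAlarm) kept for contrast.
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=C:\WINNT\System32\rhdxqvesf\csrss.exe
F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Windows Logon Service] winlogon.pif
O4 - HKLM\..\Run: [Sygate Personal Firewall Start] servic.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lphc57dj0et2g] C:\WINNT\System32\lphc57dj0et2g.exe
O4 - HKLM\..\RunServices: [Windows Logon Service] winlogon.pif
O4 - HKCU\..\Run: [Windows Logon Service] winlogon.pif
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Remote Procedure Call (RPC) Client (RpcClient) - Unknown owner - C:\WINNT\System32\rpcclient.exe (file missing)
O23 - Service: AntiSpyUltra (Zonelaps) - Unknown owner - C:\WINNT\vsmom.exe (file missing)
""".strip().splitlines()

O4_RE = re.compile(r"^O4 - (?P<loc>HK\S+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
F3_RE = re.compile(r"^F3 - REG:win\.ini: (?P<key>load|run)=(?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?) \((?P<svc>[^)]+)\) - (?P<owner>.*?) - (?P<cmd>.*)$")

# Names of core NT processes; none of them is ever started from Run keys or win.ini.
DECOY_NAMES = {"csrss.exe", "winlogon.exe", "smss.exe", "lsass.exe", "services.exe", "svchost.exe"}
# Assumption: the only bare (path-less) names Windows 2000 itself registers in this log.
KNOWN_BARE = {"mobsync.exe", "loadqm.exe"}
BAD_EXT = (".pif", ".bat", ".com", ".scr")
# Letters and digits interleaved at least twice, e.g. lphc57dj0et2g: a weak but cheap
# signature for the per-victim random names this rogue AV family uses (assumption).
GIBBERISH_RE = re.compile(r"\d+[a-z]+\d+")


def first_exe(cmd: str) -> str:
    """Return the executable part of an autorun command line (quoted or not)."""
    cmd = cmd.replace(" (file missing)", "").strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"^(.*?\.(?:exe|pif|bat|com|scr|dll))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def triage(lines):
    """Return [(line, [reasons])] for every autorun or service line that trips a heuristic."""
    entries = []
    for line in lines:
        if m := O4_RE.match(line):
            entries.append(("O4", m["loc"], m["cmd"], line))
        elif m := F3_RE.match(line):
            entries.append(("F3", "win.ini " + m["key"], m["cmd"], line))
        elif m := O23_RE.match(line):
            entries.append(("O23", m["owner"], m["cmd"], line))
    # The same command registered under several hives/keys is a hallmark of droppers.
    exe_count = Counter(first_exe(cmd).lower() for kind, _, cmd, _ in entries if kind != "O23")

    findings = []
    for kind, loc, cmd, line in entries:
        exe = first_exe(cmd)
        base = exe.rsplit("\\", 1)[-1].lower()
        stem, _, ext = base.rpartition(".")
        reasons = []
        if "(file missing)" in line:
            reasons.append("target file missing: orphaned or self-deleting component")
        if base.endswith(BAD_EXT):
            reasons.append(f"{ext} extension in an autorun entry")
        if kind != "O23" and "\\" not in exe and base not in KNOWN_BARE:
            reasons.append("bare filename with no vendor path, resolved through the loader search path")
        if base in DECOY_NAMES:
            reasons.append(f"{base} is a core system process name; the real one is never started from an autorun")
        if GIBBERISH_RE.search(stem):
            reasons.append("gibberish name (random letters and digits)")
        if kind == "O4" and loc.endswith("RunServices"):
            reasons.append("RunServices is only processed by Windows 9x/ME; inert on NT but written by the same dropper")
        if kind == "F3":
            reasons.append("win.ini load=/run= is empty on a clean NT system")
        if kind == "O23" and loc == "Unknown owner":
            reasons.append("service binary carries no vendor information")
        if (n := exe_count[exe.lower()]) > 1:
            reasons.append(f"same command registered in {n} autorun locations")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    -", r)
```

Run it on a full log by replacing `SAMPLE_LOG` with `open("hijackthis.log").read().splitlines()`. The heuristics are deliberately loose (a legitimate bare name not in `KNOWN_BARE` will be flagged), because on a box in this state the cost of a false positive is a minute of checking, while a miss leaves a persistence entry behind.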
 
Sure, let's proceed with the cleaning and I might reformat if it doesn't work. Thank you for the help.
 
Good Morning Fidos,

Let's get started. So as not to overwhelm you, we will run one program and post its report along with a new HJT log, so we can see where we're at before we proceed with another tool.


Do this first...Important


Disable the TeaTimer and leave it disabled until we're done:

  • Run Spybot-S&D in Advanced Mode.
  • If it is not already set to do this Go to the Mode menu select "Advanced Mode"
  • On the left hand side, Click on Tools
  • Then click on the Resident Icon in the List
  • Uncheck "Resident TeaTimer" and OK any prompts.
  • Restart your computer.<--You need to do this for it to take effect
You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
FixWareout Subratam
FixWareout Lonny
  • Save it to your desktop and run it.
  • Click Next, then Install,
  • Then make sure "Run fixit" is checked and click Finish.
  • The fix will begin; follow the prompts.
  • You will be asked to reboot your computer; please do so.
  • Your system may take longer than usual to load; this is normal.
  • At the end of the fix, you may need to restart your computer again.
Save the contents of the logfile C:\fixwareout\report.txt and post it into your next reply.



Now let's check some settings on your system (2000/XP only).

  • Go to Start > control panel.
  • If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections.
  • Then right click on your default connection, usually local area connection for cable and dsl.
  • Left click on properties.
  • Click the Networking tab.
  • Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically
  • Press OK twice to get out of the properties screen and reboot if it asks.
    That option might not be available on some systems



  • Next go to Start > Run, type cmd and hit OK
  • Type in ipconfig /flushdns then hit Enter
    (that space between g and / is needed)
  • Type exit and hit Enter



Let me see the Wareout Report and a new HJT log please
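The DNS steps above undo a static resolver override of the kind FixWareout targets: a per-interface NameServer value under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces silently wins over the DHCP-assigned resolver, and "Obtain DNS servers automatically" clears it. The following script, added as an example and not part of the thread or the tool, checks for that condition in a registry export. The export text, the GUIDs and the addresses are constructed for the example (198.51.100.0/24 is documentation space), and a real `regedit /e` file is UTF-16 and must be decoded before parsing.

```python
import ipaddress
import re

# Constructed sample in `regedit /e` export format. GUIDs are made up and
# 198.51.100.0/24 is documentation space (TEST-NET-2), so no real resolver is named.
# Interface 1 has the override the helper's instructions undo; 2 is what a clean
# DHCP interface looks like; 3 is a static-IP interface with a private resolver.
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1B2C3D4E-0000-4000-8000-000000000001}]
"EnableDHCP"=dword:00000001
"DhcpIPAddress"="192.168.1.23"
"DhcpNameServer"="192.168.1.1"
"NameServer"="198.51.100.7,198.51.100.8"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1B2C3D4E-0000-4000-8000-000000000002}]
"EnableDHCP"=dword:00000001
"DhcpIPAddress"="192.168.1.24"
"DhcpNameServer"="192.168.1.1"
"NameServer"=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1B2C3D4E-0000-4000-8000-000000000003}]
"EnableDHCP"=dword:00000000
"NameServer"="10.0.0.1"
"""

KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters"
    r"\\Interfaces\\(\{[0-9A-Fa-f-]+\})\]$")
# Only REG_SZ and REG_DWORD values matter here; other value types are ignored.
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=(?:dword:(?P<dword>[0-9A-Fa-f]{8})|"(?P<str>[^"]*)")$')

# Ranges a home or office resolver normally lives in (RFC 1918, loopback, link-local).
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_interfaces(reg_text: str) -> dict:
    """Map interface GUID -> {value name: value} for the Tcpip interface keys."""
    ifaces, cur = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            cur = ifaces.setdefault(m.group(1), {})
        elif line.startswith("["):
            cur = None                      # some unrelated key
        elif cur is not None and (m := VAL_RE.match(line)):
            cur[m["name"]] = int(m["dword"], 16) if m["dword"] is not None else m["str"]
    return ifaces


def _servers(value: str):
    """NameServer values are space- or comma-separated lists of addresses."""
    return [ipaddress.ip_address(s) for s in re.split(r"[ ,]+", value) if s]


def check_dns(reg_text: str):
    """Return [(guid, message)] for interfaces whose resolver settings look hijacked."""
    findings = []
    for guid, v in parse_interfaces(reg_text).items():
        static = _servers(v.get("NameServer", ""))
        dhcp = _servers(v.get("DhcpNameServer", ""))
        if v.get("EnableDHCP") == 1 and static:
            # This is exactly the value "Obtain DNS server address automatically" clears.
            findings.append((guid, "static NameServer %s overrides the DHCP-assigned %s"
                             % (",".join(map(str, static)), ",".join(map(str, dhcp)) or "(none)")))
        for ip in static:
            if dhcp and not any(ip in net for net in LOCAL_NETS):
                findings.append((guid, f"resolver {ip} is outside local ranges while DHCP offers a local one"))
    return findings


if __name__ == "__main__":
    for guid, msg in check_dns(SAMPLE_REG):
        print(guid, msg)
```

After clearing the override, `ipconfig /flushdns` matters because answers already cached from the rogue resolver would otherwise keep being served until they expire.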
 
Here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:31:42 AM, on 8/25/2008
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\explorer.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\notepad.exe
C:\WINNT\loadqm.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: (no name) - {AE75F0AA-0C09-3646-8A7B-28B24300F4B3} - corrida.dll (file missing)
R3 - URLSearchHook: (no name) - {C911510E-E118-7A41-1C46-3B7495D7F222} - xsetup.dll (file missing)
F3 - REG:win.ini: load=C:\WINNT\System32\rhdxqvesf\csrss.exe
F3 - REG:win.ini: run=C:\WINNT\System32\rhdxqvesf\csrss.exe
F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINNT\System32\msxml71.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Micr Update] soundblaster.exe
O4 - HKLM\..\Run: [Microsoft MCT64 Center] nmc32.exe
O4 - HKLM\..\Run: [M_S DVD DirectX Dll Drivers] msxdl.exe
O4 - HKLM\..\Run: [Netbios Helper] C:\WINNT\System32\nbthlp.exe
O4 - HKLM\..\Run: [Sygate Personal Firewall Start] servic.exe
O4 - HKLM\..\Run: [blah service] x[X]x.exe
O4 - HKLM\..\Run: [Windows Logon Service] winlogon.pif
O4 - HKLM\..\Run: [MS Windows Security Updater] updater.pif
O4 - HKLM\..\Run: [Windows Update Service] update32.pif
O4 - HKLM\..\Run: [progmen] abrek.exe
O4 - HKLM\..\Run: [wormexe] iehelper.exe
O4 - HKLM\..\Run: [Dest068] sysconf16.exe
O4 - HKLM\..\Run: [startman] StatusCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [lphc57dj0et2g] C:\WINNT\System32\lphc57dj0et2g.exe
O4 - HKLM\..\Run: [SMrhc17dj0et2g] C:\Program Files\rhc17dj0et2g\rhc17dj0et2g.exe
O4 - HKLM\..\RunServices: [Microsoft MicroP Protocol] wdgmr32.exe
O4 - HKLM\..\RunServices: [Micr Update] soundblaster.exe
O4 - HKLM\..\RunServices: [Windows SRM32 Pass] srm32.exe
O4 - HKLM\..\RunServices: [Microsoft MCT64 Center] nmc32.exe
O4 - HKLM\..\RunServices: [FireWire Service] nvscv32.exe
O4 - HKLM\..\RunServices: [M_S DVD DirectX Dll Drivers] msxdl.exe
O4 - HKLM\..\RunServices: [Sygate Personal Firewall Start] servic.exe
O4 - HKLM\..\RunServices: [blah service] x[X]x.exe
O4 - HKLM\..\RunServices: [Windows Logon Service] winlogon.pif
O4 - HKLM\..\RunServices: [MS Windows Security Updater] updater.pif
O4 - HKLM\..\RunServices: [Windows Update Service] update32.pif
O4 - HKCU\..\Run: [Micr Update] soundblaster.exe
O4 - HKCU\..\Run: [Microsoft MCT64 Center] nmc32.exe
O4 - HKCU\..\Run: [Microsoft MicroP Protocol] wdgmr32.exe
O4 - HKCU\..\Run: [Windows SRM32 Pass] srm32.exe
O4 - HKCU\..\Run: [Spyware Vanisher] c:\spywarevanisher-free\FreeScanner.exe -FastScan
O4 - HKCU\..\Run: [M_S DVD DirectX Dll Drivers] msxdl.exe
O4 - HKCU\..\Run: [Windows Logon Service] winlogon.pif
O4 - HKCU\..\Run: [porka_] progmen.exe
O4 - HKCU\..\Run: [MONITER] hyandex.exe
O4 - HKCU\..\Run: [lpt] MONITER.exe
O4 - HKCU\..\Run: [teqq32] srbho.exe
O4 - HKCU\..\Run: [BoundRec] iesetupdll.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\RunServices: [M_S DVD DirectX Dll Drivers] msxdl.exe
O4 - HKCU\..\RunServices: [Windows Logon Service] winlogon.pif
O4 - HKCU\..\RunServices: [MS Windows Security Updater] updater.pif
O4 - HKCU\..\RunServices: [Windows Update Service] update32.pif
O4 - HKUS\.DEFAULT\..\Run: [Micr Update] soundblaster.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft MCT64 Center] nmc32.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [M_S DVD DirectX Dll Drivers] msxdl.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Sygate Personal Firewall Start] servic.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows Logon Service] winlogon.pif (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows Login Security] winlogin.pif (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunServices: [M_S DVD DirectX Dll Drivers] msxdl.exe (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://xiah.gamescampus.com/luncher/GamesCampus.cab
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DirectX Graphics (dxdmain) - Unknown owner - C:\WINNT\System32\dxdmain.exe (file missing)
O23 - Service: msecure (mcsecure) - Unknown owner - C:\WINNT\mcsecure.exe (file missing)
O23 - Service: netinfo - Unknown owner - C:\WINNT\netinfo.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Client (RpcClient) - Unknown owner - C:\WINNT\System32\rpcclient.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Monitoring (Rpcmon) - Unknown owner - C:\WINNT\system32\ooo.exe (file missing)
O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINNT\System32\SCardClnt.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: AntiSpyUltra (Zonelaps) - Unknown owner - C:\WINNT\vsmom.exe (file missing)

--
End of file - 8339 bytes

And here's the FixWareout report:

Username "Lee" - 08/25/2008 11:08:31 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"LoadQM"="loadqm.exe"
"Micr Update"="soundblaster.exe"
"Microsoft MCT64 Center"="nmc32.exe"
"M_S DVD DirectX Dll Drivers"="msxdl.exe"
"Netbios Helper"="C:\\WINNT\\System32\\nbthlp.exe"
"Sygate Personal Firewall Start"="servic.exe"
"blah service"="x[X]x.exe"
"Windows Logon Service"="winlogon.pif"
"MS Windows Security Updater"="updater.pif"
"Windows Update Service"="update32.pif"
"progmen"="abrek.exe"
"wormexe"="iehelper.exe"
"Dest068"="sysconf16.exe"
"startman"="StatusCheck.exe"
"Zone Labs Client"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
"EPSON Stylus CX4200 Series"="C:\\WINNT\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIAEA.EXE /P26 \"EPSON Stylus CX4200 Series\" /O6 \"USB001\" /M \"Stylus CX4200\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"lphc57dj0et2g"="C:\\WINNT\\System32\\lphc57dj0et2g.exe"
"SMrhc17dj0et2g"="C:\\Program Files\\rhc17dj0et2g\\rhc17dj0et2g.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Micr Update"="soundblaster.exe"
"Microsoft MCT64 Center"="nmc32.exe"
"Microsoft MicroP Protocol"="wdgmr32.exe"
"Windows SRM32 Pass"="srm32.exe"
"Spyware Vanisher"="c:\\spywarevanisher-free\\FreeScanner.exe -FastScan"
"M_S DVD DirectX Dll Drivers"="msxdl.exe"
"Windows Logon Service"="winlogon.pif"
"porka_"="progmen.exe"
"MONITER"="hyandex.exe"
"lpt"="MONITER.exe"
"teqq32"="srbho.exe"
"BoundRec"="iesetupdll.exe"
"Steam"="C:\\Program Files\\Valve\\Steam\\Steam.exe -silent"
....
Hosts file was reset, If you use a custom hosts file please replace it...
C:\WINNT\System32\AUTOEXEC.NT missing
~~~~~ End report ~~~~~
 
Still more to do


This tool needs to be run from Safe Mode to be effective, so download it to your desktop, then boot to Safe Mode to run it.

To Enter Safemode
  • Go to Start> Shut off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
    this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode
  • Then press the Enter Key on your Keyboard
Tutorial if you need it How to boot into Safemode

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
 
Sorry this morning's reply took so long. I was kind of busy.

Here's the report from SDFix:


SDFix: Version 1.219
Run by Lee on Mon 08/25/2008 at 3:52p

Microsoft Windows 2000 [Version 5.00.2195]
Running From: C:\SDFix

Checking Services :

Name :
Hpdriver
sysrest.sys

Path :
\??\C:\WINNT\system32\hpdriver.sys
\??\C:\WINNT\System32\sysrest.sys

Hpdriver - Deleted
sysrest.sys - Deleted


AUTOEXEC.NT Restored from backups

Restoring Default Security Values
Restoring Default Hosts File
Restoring Default Desktop Wallpaper

Rebooting


Checking Files :

Trojan Files Found:

C:\WINNT\system32\lphc57dj0et2g.exe - Deleted
C:\WINNT\system32\phc57dj0et2g.bmp - Deleted
C:\WINNT\SYSTEM32\SETUP_~3.EXE - Deleted
C:\WINNT\SYSTEM32\SETUP_~4.EXE - Deleted
C:\WINNT\system32\djqkib\csrss.ini - Deleted
C:\WINNT\system32\emswynff\csrss.ini - Deleted
C:\WINNT\system32\hcydcb\csrss.ini - Deleted
C:\WINNT\system32\kkawezigl\csrss.ini - Deleted
C:\WINNT\system32\rhdxqvesf\csrss.ini - Deleted
C:\DOCUME~1\Lee\LOCALS~1\Temp\.tt5.tmp - Deleted
C:\DOCUME~1\Lee\LOCALS~1\Temp\.ttD.tmp - Deleted
C:\b.bat - Deleted
C:\WINNT\m.bat - Deleted
C:\WINNT\p.bat - Deleted
C:\WINNT\r.bat - Deleted
C:\WINNT\t.bat - Deleted
C:\WINNT\l.exe - Deleted
C:\WINNT\system32\2.tmp - Deleted
C:\WINNT\system32\setup_17160.exe - Deleted
C:\WINNT\system32\setup_50306.exe - Deleted
C:\WINNT\system32\setup_72713.exe - Deleted
C:\WINNT\system32\setup_88034.exe - Deleted
C:\Documents and Settings\Lee\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk - Deleted
C:\.exe - Deleted
C:\WINNT\system32\msxml71.dll - Deleted
C:\WINNT\system32\sysrest.sys - Deleted



Folder C:\Documents and Settings\Lee\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#w*w.redtube.com - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-25 16:04:44
Windows 5.0.2195 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3E37DD93-98C7-1D8F-31A5-2F8600B5CD22}]
"bbmjmancapgclcglloefiohjhddonlcifibk?"=hex:6b,61,63,6c,68,68,67,70,6c,63,63,62,68,62,66,65,65,64,68,6a,61,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F8DE961C-1C71-C374-682D-0E18CD5C58BF}]
"bbfcglbcipjmlbphkafjljhnjbjhdjpicfnm?"=hex:6b,61,70,6b,70,6a,6f,6c,6b,6b,69,6c,65,66,61,66,66,65,61,6e,6b,..

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 18 Aug 2008 1,832,272 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Sat 29 Oct 2005 157,696 A..H. --- "C:\WINNT\system32\qnggfz.exe"
Thu 4 May 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 12 Nov 2004 37,376 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"

Finished!


And here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:20:24 PM, on 8/25/2008
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\notepad.exe
C:\WINNT\loadqm.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: (no name) - {AE75F0AA-0C09-3646-8A7B-28B24300F4B3} - corrida.dll (file missing)
R3 - URLSearchHook: (no name) - {C911510E-E118-7A41-1C46-3B7495D7F222} - xsetup.dll (file missing)
F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Micr Update] soundblaster.exe
O4 - HKLM\..\Run: [Microsoft MCT64 Center] nmc32.exe
O4 - HKLM\..\Run: [M_S DVD DirectX Dll Drivers] msxdl.exe
O4 - HKLM\..\Run: [Netbios Helper] C:\WINNT\System32\nbthlp.exe
O4 - HKLM\..\Run: [Sygate Personal Firewall Start] servic.exe
O4 - HKLM\..\Run: [MS Windows Security Updater] updater.pif
O4 - HKLM\..\Run: [Windows Update Service] update32.pif
O4 - HKLM\..\Run: [progmen] abrek.exe
O4 - HKLM\..\Run: [wormexe] iehelper.exe
O4 - HKLM\..\Run: [Dest068] sysconf16.exe
O4 - HKLM\..\Run: [startman] StatusCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SMrhc17dj0et2g] C:\Program Files\rhc17dj0et2g\rhc17dj0et2g.exe
O4 - HKLM\..\RunServices: [Microsoft MicroP Protocol] wdgmr32.exe
O4 - HKLM\..\RunServices: [Micr Update] soundblaster.exe
O4 - HKLM\..\RunServices: [Windows SRM32 Pass] srm32.exe
O4 - HKLM\..\RunServices: [Microsoft MCT64 Center] nmc32.exe
O4 - HKLM\..\RunServices: [FireWire Service] nvscv32.exe
O4 - HKLM\..\RunServices: [M_S DVD DirectX Dll Drivers] msxdl.exe
O4 - HKLM\..\RunServices: [Sygate Personal Firewall Start] servic.exe
O4 - HKLM\..\RunServices: [MS Windows Security Updater] updater.pif
O4 - HKLM\..\RunServices: [Windows Update Service] update32.pif
O4 - HKCU\..\Run: [Micr Update] soundblaster.exe
O4 - HKCU\..\Run: [Microsoft MCT64 Center] nmc32.exe
O4 - HKCU\..\Run: [Microsoft MicroP Protocol] wdgmr32.exe
O4 - HKCU\..\Run: [Windows SRM32 Pass] srm32.exe
O4 - HKCU\..\Run: [Spyware Vanisher] c:\spywarevanisher-free\FreeScanner.exe -FastScan
O4 - HKCU\..\Run: [M_S DVD DirectX Dll Drivers] msxdl.exe
O4 - HKCU\..\Run: [Windows Logon Service] winlogon.pif
O4 - HKCU\..\Run: [porka_] progmen.exe
O4 - HKCU\..\Run: [MONITER] hyandex.exe
O4 - HKCU\..\Run: [lpt] MONITER.exe
O4 - HKCU\..\Run: [teqq32] srbho.exe
O4 - HKCU\..\Run: [BoundRec] iesetupdll.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\RunServices: [M_S DVD DirectX Dll Drivers] msxdl.exe
O4 - HKCU\..\RunServices: [Windows Logon Service] winlogon.pif
O4 - HKCU\..\RunServices: [MS Windows Security Updater] updater.pif
O4 - HKCU\..\RunServices: [Windows Update Service] update32.pif
O4 - HKUS\.DEFAULT\..\Run: [Micr Update] soundblaster.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft MCT64 Center] nmc32.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [M_S DVD DirectX Dll Drivers] msxdl.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Sygate Personal Firewall Start] servic.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows Logon Service] winlogon.pif (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows Login Security] winlogin.pif (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunServices: [M_S DVD DirectX Dll Drivers] msxdl.exe (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://xiah.gamescampus.com/luncher/GamesCampus.cab
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DirectX Graphics (dxdmain) - Unknown owner - C:\WINNT\System32\dxdmain.exe (file missing)
O23 - Service: msecure (mcsecure) - Unknown owner - C:\WINNT\mcsecure.exe (file missing)
O23 - Service: netinfo - Unknown owner - C:\WINNT\netinfo.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Client (RpcClient) - Unknown owner - C:\WINNT\System32\rpcclient.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Monitoring (Rpcmon) - Unknown owner - C:\WINNT\system32\ooo.exe (file missing)
O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINNT\System32\SCardClnt.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: AntiSpyUltra (Zonelaps) - Unknown owner - C:\WINNT\vsmom.exe (file missing)

--
End of file - 7833 bytes
 
Don't worry about the replies; run the programs and post when you can.


Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- Don't forget this
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply along with a new HijackThis log.
 
The program doesn't work. I downloaded it from both links and when I try to install or open Malwarebytes' Anti-Malware they give me this error code: 718 (-2146893799,0).
 
Let's try this.

Please download ATF Cleaner by Atribune to your desktop.
  • This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
Your system may start up slower after running ATF Cleaner; this is expected, but it will be back to normal after the first or second boot-up.
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized your password and other personal information, as removing cookies will temporarily disable the auto-login facility.

Download ComboFix from Here or Here to your Desktop.

In the event you already have ComboFix, this is a new version that I need you to download.
It must be saved directly to your desktop.

1. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

  • Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Remember to re-enable the protection again afterwards before connecting to the net.


2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running ComboFix.
  • If you have not already done so, ComboFix will disconnect your machine from the Internet when it starts.
  • If there is no internet connection when ComboFix has completely finished, restart your computer to restore the connection.

3. Now double-click on combofix.exe and follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall or freeze.
 
Here's the combofix log:

ComboFix 08-08-24.03 - Lee 08/25/2008 19:27:00.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.0.1252.1.1033.18.127 [GMT -7:00]
Running from: C:\Documents and Settings\Lee\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Lee\Application Data\macromedia\Flash Player\#SharedObjects\PZ47KJSE\interclick.com
C:\Documents and Settings\Lee\Application Data\macromedia\Flash Player\#SharedObjects\PZ47KJSE\interclick.com\ud.sol
C:\Documents and Settings\Lee\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Lee\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Program Files\Common Files\uninstall information
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\History\search
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\WINNT\system32\3.tmp
C:\WINNT\system32\4.tmp
C:\WINNT\system32\5.tmp
C:\WINNT\system32\8.tmp
C:\WINNT\system32\actskn43.ocx
C:\WINNT\system32\launcher.exe
C:\WINNT\Web\default.htt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MAPI
-------\Legacy_RDRIV
-------\Service_MAPI


((((((((((((((((((((((((( Files Created from 2008-07-26 to 2008-08-26 )))))))))))))))))))))))))))))))
.

2008-08-25 15:48 . 08-08-25 15:48 <DIR> d-------- C:\WINNT\ERUNT
2008-08-25 15:48 . 93-05-22 15:01 438 --a------ C:\WINNT\system32\AUTOEXEC.NT
2008-08-25 15:41 . 08-08-25 16:11 <DIR> d-------- C:\SDFix
2008-08-25 11:08 . 08-08-25 11:23 <DIR> d-------- C:\fixwareout
2008-08-22 21:40 . 08-08-25 18:14 454,538 ---h----- C:\WINNT\ShellIconCache
2008-08-22 13:17 . 08-08-22 13:17 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-19 22:15 . 08-08-20 10:36 <DIR> d-------- C:\Documents and Settings\Lee\Application Data\Antispyware
2008-08-19 20:19 . 02-05-15 15:16 462,848 --a------ C:\WINNT\system32\msaatext.dll
2008-08-19 20:19 . 02-05-15 15:16 360,448 --a------ C:\WINNT\system32\oleacc.dll
2008-08-19 20:19 . 02-05-15 15:16 360,448 --a--c--- C:\WINNT\system32\dllcache\oleacc.dll
2008-08-19 20:19 . 02-05-15 15:16 356,352 --a------ C:\WINNT\system32\oleaccrc.dll
2008-08-19 20:19 . 02-05-15 15:16 356,352 --a--c--- C:\WINNT\system32\dllcache\oleaccrc.dll
2008-08-19 18:57 . 08-07-10 15:12 600 --a------ C:\WINNT\win.tmp
2008-08-19 18:57 . 05-01-03 10:30 231 --a------ C:\WINNT\system.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-21 04:15 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-21 04:14 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-20 17:36 --------- d-----w C:\Documents and Settings\Lee\Application Data\SpywareBot
2008-08-20 00:00 --------- d---a-w C:\Documents and Settings\All Users\Application Data\AVG7
2008-08-18 22:18 --------- d-----w C:\Documents and Settings\Lee\Application Data\uTorrent
2008-08-18 21:22 --------- d-----w C:\Documents and Settings\Lee\Application Data\AVG7
2008-07-04 20:24 --------- d-----w C:\Program Files\Starcraft
2005-01-04 01:49 271 -c-h--w C:\Program Files\desktop.ini
1999-12-07 12:00 32,528 -c--a-w C:\WINNT\inf\wbfirdma.sys
2008-03-21 20:29 479,232 -c--a-w C:\Program Files\mozilla firefox\plugins\msvcm80.dll
2008-03-21 20:29 548,864 -c--a-w C:\Program Files\mozilla firefox\plugins\msvcp80.dll
2008-03-21 20:29 626,688 -c--a-w C:\Program Files\mozilla firefox\plugins\msvcr80.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [05-11-15 01:51 755472]
"EPSON Stylus CX4200 Series"="C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE" [05-03-07 20:00 98304]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [08-03-29 02:12 98304]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [08-06-27 20:15 580096]
"Synchronization Manager"="mobsync.exe" [99-12-07 05:00 111376 C:\WINNT\system32\mobsync.exe]
"LoadQM"="loadqm.exe" [00-05-03 18:23 7536 C:\WINNT\loadqm.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [07-09-04 16:40 6856704]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [08-05-21 20:06 219136]

C:\Documents and Settings\Lee\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2005-01-26 10:26:50 225280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 13:05:56 65588]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Defragmentation Manager]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DHCP Client]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dxdmain]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\GencTurK RootKit]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Keyboard Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\LSA Server]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcClient]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Rpcmon]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SCardClnt]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Sound Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ulead Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ulead Systems]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\upnpdrv]
@="Service"

R1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINNT\System32\Drivers\avg7rsnt.sys [08-05-21 20:06 ]
R3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);C:\WINNT\System32\drivers\ctlsb16.sys [99-10-23 14:10 ]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\System32\DRIVERS\el90xbc5.sys [99-10-23 05:22 ]
S2 dxdmain;DirectX Graphics;C:\WINNT\System32\dxdmain.exe []
S2 mcsecure;msecure;C:\WINNT\mcsecure.exe []
S2 netinfo;netinfo;C:\WINNT\netinfo.exe []
S2 RpcClient;Remote Procedure Call (RPC) Client;C:\WINNT\System32\rpcclient.exe []
S2 Rpcmon;Remote Procedure Call (RPC) Monitoring;C:\WINNT\system32\ooo.exe []
S2 SCardClnt;Smart Card Client;C:\WINNT\System32\SCardClnt.exe []
S2 Zonelaps;AntiSpyUltra;C:\WINNT\vsmom.exe []
S3 GencTurK RootKit Driver;GencTurK RootKit Driver;C:\system.sys []
S3 msvnc;msvnc;C:\WINNT\system32\msvnc.sys []
S3 Winacpci;Winacpci;C:\WINNT\System32\DRIVERS\winacpci.sys [99-09-25 00:55 ]
S4 Defragmentation Manager;Managing FAT and NTFS partitions;C:\WINNT\System32\dfrgfat16.exe []
S4 GencTurK RootKit;TurkSpy For RootKit;C:\system.exe []
S4 Keyboard Service;Keyboard Service System Files;C:\WINNT\System32\keyboard.exe []
S4 LSA Server;Local Security Authority Server;C:\WINNT\system32\msupdater.exe []
S4 Sound Service;Sound Sservice Driver ;C:\WINNT\System32\cfmon.exe []

NETSVCS REQUIRES REPAIRS - current entries shown
EventSystem
Ias
Iprip
Irmon
Netman
Nwsapagent
Rasauto
Rasman
Remoteaccess
SENS
Sharedaccess
Tapisrv
Ntmssvc
WmdmPmSN

*Newly Created Service* - IPNAT
*Newly Created Service* - SHAREDACCESS
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{AE75F0AA-0C09-3646-8A7B-28B24300F4B3} - corrida.dll
URLSearchHooks-{C911510E-E118-7A41-1C46-3B7495D7F222} - xsetup.dll
HKCU-Run-Spyware Vanisher - c:\spywarevanisher-free\FreeScanner.exe
HKCU-Run-Steam - C:\Program Files\Valve\Steam\Steam.exe
HKCU-Run-Micr Update - soundblaster.exe
HKCU-Run-Microsoft MCT64 Center - nmc32.exe
HKCU-Run-Microsoft MicroP Protocol - wdgmr32.exe
HKCU-Run-Windows SRM32 Pass - srm32.exe
HKCU-Run-M_S DVD DirectX Dll Drivers - msxdl.exe
HKCU-Run-Windows Logon Service - winlogon.pif
HKCU-Run-porka_ - progmen.exe
HKCU-Run-MONITER - hyandex.exe
HKCU-Run-lpt - MONITER.exe
HKCU-Run-teqq32 - srbho.exe
HKCU-Run-BoundRec - iesetupdll.exe
HKCU-RunServices-M_S DVD DirectX Dll Drivers - msxdl.exe
HKCU-RunServices-Windows Logon Service - winlogon.pif
HKCU-RunServices-MS Windows Security Updater - updater.pif
HKCU-RunServices-Windows Update Service - update32.pif
HKLM-Run-Netbios Helper - C:\WINNT\System32\nbthlp.exe
HKLM-Run-SMrhc17dj0et2g - C:\Program Files\rhc17dj0et2g\rhc17dj0et2g.exe
HKLM-Run-Micr Update - soundblaster.exe
HKLM-Run-Microsoft MCT64 Center - nmc32.exe
HKLM-Run-M_S DVD DirectX Dll Drivers - msxdl.exe
HKLM-Run-Sygate Personal Firewall Start - servic.exe
HKLM-Run-MS Windows Security Updater - updater.pif
HKLM-Run-Windows Update Service - update32.pif
HKLM-Run-progmen - abrek.exe
HKLM-Run-wormexe - iehelper.exe
HKLM-Run-Dest068 - sysconf16.exe
HKLM-Run-startman - StatusCheck.exe
HKLM-RunServices-Microsoft MicroP Protocol - wdgmr32.exe
HKLM-RunServices-Micr Update - soundblaster.exe
HKLM-RunServices-Windows SRM32 Pass - srm32.exe
HKLM-RunServices-Microsoft MCT64 Center - nmc32.exe
HKLM-RunServices-FireWire Service - nvscv32.exe
HKLM-RunServices-M_S DVD DirectX Dll Drivers - msxdl.exe
HKLM-RunServices-Sygate Personal Firewall Start - servic.exe
HKLM-RunServices-MS Windows Security Updater - updater.pif
HKLM-RunServices-Windows Update Service - update32.pif
HKU-Default-Run-Micr Update - soundblaster.exe
HKU-Default-Run-Microsoft MCT64 Center - nmc32.exe
HKU-Default-Run-M_S DVD DirectX Dll Drivers - msxdl.exe
HKU-Default-Run-Sygate Personal Firewall Start - servic.exe
HKU-Default-Run-Windows Logon Service - winlogon.pif
HKU-Default-Run-Windows Login Security - winlogin.pif
HKU-Default-RunServices-M_S DVD DirectX Dll Drivers - msxdl.exe
HKU-Default-RunServices-Windows Logon Service - winlogon.pif
HKU-Default-RunServices-Windows Login Security - winlogin.pif
HKU-Default-RunServices-Windows Update Service - update32.pif


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.ca
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-25 19:34:34
Windows 5.0.2195 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\DOCUME~1\Lee\LOCALS~1\Temp\fb1.tmp 16384 bytes
C:\DOCUME~1\Lee\LOCALS~1\Temp\~DF4575.tmp 512 bytes

scan completed successfully
hidden files: 2

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
SystemRoot\System32\smss.exe [156]
??\C:\WINNT\system32\csrss.exe [180]
??\C:\WINNT\system32\winlogon.exe [200]
C:\WINNT\system32\services.exe [228]
C:\WINNT\system32\lsass.exe [240]
C:\WINNT\system32\svchost.exe [404]
C:\WINNT\system32\spoolsv.exe [432]
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe [460]
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe [500]
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe [520]
C:\WINNT\System32\svchost.exe [592]
C:\WINNT\system32\stisvc.exe [624]
C:\WINNT\System32\WBEM\WinMgmt.exe [652]
C:\WINNT\system32\cmd.exe [816]
C:\WINNT\loadqm.exe [1020]
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE [1060]
C:\Program Files\QuickTime\qttask.exe [1068]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe [1072]
C:\WINNT\Explorer.exe [936]
C:\ComboFix\catchme.cfexe [980]
.
**************************************************************************
.
Completion time: 2008-08-25 19:39:09 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-26 02:39:01

Pre-Run: 3,734,953,984 bytes free
Post-Run: 3,713,572,864 bytes free

244

and here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:44:07 PM, on 8/25/2008
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\loadqm.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://xiah.gamescampus.com/luncher/GamesCampus.cab
O18 - Filter: text/plain - (no CLSID) - (no file)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DirectX Graphics (dxdmain) - Unknown owner - C:\WINNT\System32\dxdmain.exe (file missing)
O23 - Service: msecure (mcsecure) - Unknown owner - C:\WINNT\mcsecure.exe (file missing)
O23 - Service: netinfo - Unknown owner - C:\WINNT\netinfo.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Client (RpcClient) - Unknown owner - C:\WINNT\System32\rpcclient.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Monitoring (Rpcmon) - Unknown owner - C:\WINNT\system32\ooo.exe (file missing)
O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINNT\System32\SCardClnt.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: AntiSpyUltra (Zonelaps) - Unknown owner - C:\WINNT\vsmom.exe (file missing)

--
End of file - 4890 bytes
 
Hello,

You need to enable Windows to show all files and folders; instructions Here.

Open HijackThis > Do a System Scan Only. Close your browser and all open windows, including this one; the only program or window you should have open is HijackThis. Check the following entries and click on Fix Checked.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

O18 - Filter: text/plain - (no CLSID) - (no file)

O23 - Service: DirectX Graphics (dxdmain) - Unknown owner - C:\WINNT\System32\dxdmain.exe (file missing)
O23 - Service: msecure (mcsecure) - Unknown owner - C:\WINNT\mcsecure.exe (file missing)
O23 - Service: netinfo - Unknown owner - C:\WINNT\netinfo.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Client (RpcClient) - Unknown owner - C:\WINNT\System32\rpcclient.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Monitoring (Rpcmon) - Unknown owner - C:\WINNT\system32\ooo.exe (file missing)
O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINNT\System32\SCardClnt.exe (file missing)
O23 - Service: AntiSpyUltra (Zonelaps) - Unknown owner - C:\WINNT\vsmom.exe (file missing)

Delete the files in RED, and let me know which ones would not delete.

C:\WINNT\System32\dxdmain.exe
C:\WINNT\mcsecure.exe
C:\WINNT\netinfo.exe
C:\WINNT\System32\rpcclient.exe
C:\WINNT\system32\ooo.exe
C:\WINNT\System32\SCardClnt.exe
C:\WINNT\vsmom.exe

Please download SuperAntiSpyware Free.
Install the program.
  • Run SuperAntiSpyware and click: Check for updates
  • Once the update is finished, on the main screen, click: Scan your computer
  • Check: Perform Complete Scan
  • Click Next to start the scan.
SuperAntiSpyware scans the computer and, when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next <-- Important
Then click Finish.

It is possible that the program asks to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
  • Click: Preferences
  • Click the Statistics/Logs tab
  • Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad).

Please provide the SuperAntiSpyware log in your reply, as well as a new HijackThis log.
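As an added illustration of how the helper sorted the HijackThis entries above into "Fix Checked" candidates (this is not the thread's or any tool's own code), here is a small Python triage script. The heuristics are mine and are assumptions, not HijackThis rules: a bare file name with no path, a .pif-style extension, a start page blanked to about:blank, an O18 filter with no file, and an O23 service with "Unknown owner" plus "(file missing)". The sample input is constructed from a handful of lines copied from the logs in this thread.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O4 - HKLM\..\Run: [Windows Update Service] update32.pif
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [Windows Logon Service] winlogon.pif
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O18 - Filter: text/plain - (no CLSID) - (no file)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: AntiSpyUltra (Zonelaps) - Unknown owner - C:\WINNT\vsmom.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Client (RpcClient) - Unknown owner - C:\WINNT\System32\rpcclient.exe (file missing)
"""

# Assumption: extensions a legitimate autostart almost never uses (this thread's entries use .pif).
SUSPICIOUS_EXT = {".pif", ".scr", ".bat", ".cmd", ".com"}
# Assumption: words malware picks so a Run entry reads like a Windows component.
LURE_WORDS = re.compile(r"windows|microsoft|update|security|logon|login", re.IGNORECASE)
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r"(.+?\.(?:exe|pif|scr|com|bat|cmd|dll))(?:\s|$)", re.IGNORECASE)

@dataclass
class Finding:
    line: str
    reasons: list

def executable_of(cmd: str) -> str:
    """Return the program part of an O4 command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)  # unquoted paths may contain spaces, so stop at the extension
    return m.group(1) if m else (cmd.split()[0] if cmd else "")

def check_r(line: str) -> list:
    if not re.match(r"^R[0-3] - ", line):
        return []
    reasons = []
    value = line.split(" = ", 1)[1].strip() if " = " in line else ""
    if value == "about:blank" or value.lower().endswith("blank.htm"):
        reasons.append("browser start/search page blanked; reset to a known default")
    if "(file missing)" in line:
        reasons.append("URLSearchHook points at a DLL that no longer exists")
    return reasons

def check_o4(line: str) -> list:
    m = O4_RE.match(line)
    if not m:
        return []
    exe = executable_of(m.group("cmd"))
    reasons = []
    if "\\" not in exe and ":" not in exe:
        reasons.append("bare file name: no fixed location, resolved by path search at boot")
    ext = ntpath.splitext(exe)[1].lower()
    if ext in SUSPICIOUS_EXT:
        reasons.append(f"{ext} is an unusual extension for a legitimate autostart")
    if reasons and LURE_WORDS.search(m.group("name")):
        reasons.append("entry name imitates a Windows component")
    return reasons

def check_o18(line: str) -> list:
    if line.startswith("O18 - ") and "(no file)" in line:
        return ["protocol/filter handler registered without a backing file"]
    return []

def check_o23(line: str) -> list:
    if not line.startswith("O23 - Service: "):
        return []
    parts = line[len("O23 - Service: "):].rsplit(" - ", 2)  # name - owner - path
    if len(parts) != 3:
        return []
    _name, owner, path = parts
    reasons = []
    if owner == "Unknown owner":
        reasons.append("no vendor recorded for the service binary")
    if path.endswith("(file missing)"):
        reasons.append("service still registered but its binary is gone")
    return reasons

CHECKS = (check_r, check_o4, check_o18, check_o23)

def triage(log_text: str) -> list:
    """Return one Finding per log line that trips at least one heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = [r for check in CHECKS for r in check(line)]
        if reasons:
            findings.append(Finding(line, reasons))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

On the sample the script flags exactly the six lines the helper asked to have fixed and leaves the Zone Labs, QuickTime and vsmon entries alone; a flag is a prompt to look closer, not a verdict.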
 
Hi, so far I have done the HJT system scan and fixed what you asked me to fix. But when I went to delete the files in red, I couldn't find any of the files. Do I skip that and go straight to using SuperAntiSpyware?
 
Yes, go ahead with SAS and post the log with a new HJT, and let's see where we are at; we will look for those files in a bit.
 
Here's the super antispyware log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/26/2008 at 05:07 PM

Application Version : 4.20.1046

Core Rules Database Version : 3548
Trace Rules Database Version: 1536

Scan type : Complete Scan
Total Scan Time : 01:11:05

Memory items scanned : 255
Memory threats detected : 0
Registry items scanned : 3671
Registry threats detected : 0
File items scanned : 9923
File threats detected : 150

Adware.Tracking Cookie
.cgm.adbureau.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.cgm.adbureau.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.chitika.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.cnetaustralia.122.2o7.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.collective-media.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.collective-media.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.collective-media.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.collective-media.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.estat.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.iacas.adbureau.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.iacas.adbureau.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.imrworldwide.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.imrworldwide.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.incentaclick.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.incentaclick.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.interclick.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.interclick.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.interclick.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.kontera.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.kontera.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.msnportal.112.2o7.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.myroitracking.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.nhl.112.2o7.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.partypoker.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.partypoker.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.perf.overture.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.pro-market.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.pro-market.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.pro-market.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.prospect.adbureau.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.prospect.adbureau.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.prospect.adbureau.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.prospect.adbureau.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.realmedia.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.realmedia.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.realmedia.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.revenue.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.serving.adsrevenue.clicksor.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.stopzilla.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.stopzilla.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.tacoda.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.tacoda.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.tacoda.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.tacoda.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.toplist.cz [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.usatoday1.112.2o7.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.valueclick.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.www.incentaclick.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.www.incentaclick.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.xiti.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.yamaha.122.2o7.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.youporn.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.youporn.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.youporn.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
.youporn.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
ads.revsci.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
ads-dev.youporn.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
cms.trafficmp.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
counter.search.bg [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
futanariporno.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
rotator.adjuggler.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
rotator.adjuggler.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
server.cpmstar.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
server.cpmstar.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
server.cpmstar.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
server.cpmstar.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
server.cpmstar.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
server.iad.liveperson.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
server.iad.liveperson.net [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
www.googleadservices.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
www.googleadservices.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
www.googleadservices.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
www.googleadservices.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
www.usenext.de [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
www.usenext.de [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]
www.xxx-animatrix.com [ C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\sxq5zxnj.default\cookies.txt ]

Rogue.AntiVirusProtection
C:\WINNT\SYSTEM32\FK.DLL

and here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:26:54 PM, on 8/26/2008
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\loadqm.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\System32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://xiah.gamescampus.com/luncher/GamesCampus.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DirectX Graphics (dxdmain) - Unknown owner - C:\WINNT\System32\dxdmain.exe (file missing)
O23 - Service: msecure (mcsecure) - Unknown owner - C:\WINNT\mcsecure.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Client (RpcClient) - Unknown owner - C:\WINNT\System32\rpcclient.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Monitoring (Rpcmon) - Unknown owner - C:\WINNT\system32\ooo.exe (file missing)
O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINNT\System32\SCardClnt.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: AntiSpyUltra (Zonelaps) - Unknown owner - C:\WINNT\vsmom.exe (file missing)

--
End of file - 4887 bytes
 
Hi,

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before and above File::

Code:
File::
C:\WINNT\SYSTEM32\FK.DLL
C:\WINNT\System32\dxdmain.exe
C:\WINNT\mcsecure.exe
C:\WINNT\System32\rpcclient.exe
C:\WINNT\system32\ooo.exe
C:\WINNT\System32\SCardClnt.exe
C:\WINNT\vsmom.exe

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dxdmain]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\GencTurK RootKit]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcClient]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Rpcmon]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SCardClnt]

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScriptB-4.gif]



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
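The CFScript above was assembled by hand from the O23 lines marked "(file missing)" in the HijackThis log. As an added example (not the helper's tool and not part of ComboFix), the Python below parses those O23 lines, collects the orphaned services, and lays out a candidate script in the same File:: / Registry:: shape, then checks the one rule the post stresses: nothing may precede File::. The sample log lines are constructed from this thread's own entries; the SafeBoot key layout follows the post.

```python
import re

# Constructed sample input: O23 lines in HijackThis v2 format, modelled on the
# log posted in this thread. Four of the six services point at binaries that
# no longer exist on disk ("(file missing)").
SAMPLE_HJT_LOG = """\
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\\PROGRA~1\\Grisoft\\AVG7\\avgupsvc.exe
O23 - Service: DirectX Graphics (dxdmain) - Unknown owner - C:\\WINNT\\System32\\dxdmain.exe (file missing)
O23 - Service: msecure (mcsecure) - Unknown owner - C:\\WINNT\\mcsecure.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Monitoring (Rpcmon) - Unknown owner - C:\\WINNT\\system32\\ooo.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\\WINNT\\system32\\ZoneLabs\\vsmon.exe
O23 - Service: AntiSpyUltra (Zonelaps) - Unknown owner - C:\\WINNT\\vsmom.exe (file missing)
"""

# One O23 line: "O23 - Service: <display> (<short name>) - <owner> - <path>[ (file missing)]".
# <display> may itself contain parentheses (e.g. "(RPC)"), so the short name is
# taken from the last "(...)" that is followed by " - ".
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.*) \((?P<name>[^()]+)\) - "
    r"(?P<owner>.*?) - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)

SAFEBOOT_MINIMAL = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal"


def parse_o23(line):
    """Return the fields of one O23 line, or None for any other HJT line."""
    m = O23_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return {
        "display": m.group("display"),
        "name": m.group("name"),
        "owner": m.group("owner"),
        "path": m.group("path"),
        "file_missing": m.group("missing") is not None,
    }


def find_orphaned_services(log_text):
    """Services whose binary is gone: the registration outlived a file that an
    earlier scanner already deleted, which is what the CFScript cleans up."""
    found = []
    for line in log_text.splitlines():
        entry = parse_o23(line)
        if entry and entry["file_missing"]:
            found.append(entry)
    return found


def build_cfscript(orphans, extra_files=()):
    """Lay out a CFScript in the shape used in the post: a File:: block of
    paths, a blank line, then a Registry:: block deleting each orphaned
    service's key under SafeBoot Minimal. This is a candidate list only; the
    helper still decides which entries belong in the real script."""
    files = list(extra_files) + [s["path"] for s in orphans]
    keys = [f"[-{SAFEBOOT_MINIMAL}\\{s['name']}]" for s in orphans]
    lines = ["File::", *files, "", "Registry::", *keys]
    return "\n".join(lines) + "\n"


def cfscript_is_well_formed(text):
    """The post stresses that nothing may precede 'File::'. Check that, and
    that every '::' directive is followed by at least one unindented entry."""
    if not text.startswith("File::\n"):
        return False
    sections = [s for s in text.split("\n\n") if s.strip()]
    for section in sections:
        body = section.splitlines()
        if len(body) < 2 or not body[0].endswith("::"):
            return False
        if any(entry != entry.strip() for entry in body[1:]):
            return False
    return True


if __name__ == "__main__":
    orphans = find_orphaned_services(SAMPLE_HJT_LOG)
    script = build_cfscript(orphans, extra_files=[r"C:\WINNT\SYSTEM32\FK.DLL"])
    print(script, end="")
    print("well-formed:", cfscript_is_well_formed(script))
```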
 
Here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:57:11 PM, on 8/26/2008
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\loadqm.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://xiah.gamescampus.com/luncher/GamesCampus.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DirectX Graphics (dxdmain) - Unknown owner - C:\WINNT\System32\dxdmain.exe (file missing)
O23 - Service: msecure (mcsecure) - Unknown owner - C:\WINNT\mcsecure.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Client (RpcClient) - Unknown owner - C:\WINNT\System32\rpcclient.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Monitoring (Rpcmon) - Unknown owner - C:\WINNT\system32\ooo.exe (file missing)
O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINNT\System32\SCardClnt.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: AntiSpyUltra (Zonelaps) - Unknown owner - C:\WINNT\vsmom.exe (file missing)

--
End of file - 4887 bytes

and here's the ComboFix log:

ComboFix 08-08-26.02 - Lee 08/26/2008 19:37:57.2 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.0.1252.1.1033.18.113 [GMT -7:00]
Running from: C:\Documents and Settings\Lee\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lee\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINNT\mcsecure.exe
C:\WINNT\System32\dxdmain.exe
C:\WINNT\SYSTEM32\FK.DLL
C:\WINNT\system32\ooo.exe
C:\WINNT\System32\rpcclient.exe
C:\WINNT\System32\SCardClnt.exe
C:\WINNT\vsmom.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Lee\Application Data\macromedia\Flash Player\#SharedObjects\PZ47KJSE\bin.clearspring.com
C:\Documents and Settings\Lee\Application Data\macromedia\Flash Player\#SharedObjects\PZ47KJSE\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\Lee\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\Lee\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol

.
((((((((((((((((((((((((( Files Created from 2008-07-27 to 2008-08-27 )))))))))))))))))))))))))))))))
.

2008-08-26 15:47 . 08-08-26 15:47 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-26 15:47 . 08-08-26 15:47 <DIR> d-------- C:\Documents and Settings\Lee\Application Data\SUPERAntiSpyware.com
2008-08-26 15:47 . 08-08-26 15:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-25 15:48 . 08-08-25 15:48 <DIR> d-------- C:\WINNT\ERUNT
2008-08-25 15:48 . 93-05-22 15:01 438 --a------ C:\WINNT\system32\AUTOEXEC.NT
2008-08-25 15:41 . 08-08-25 16:11 <DIR> d-------- C:\SDFix
2008-08-25 11:08 . 08-08-25 11:23 <DIR> d-------- C:\fixwareout
2008-08-22 21:40 . 08-08-26 00:15 276,982 ---h----- C:\WINNT\ShellIconCache
2008-08-22 13:17 . 08-08-22 13:17 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-19 22:15 . 08-08-20 10:36 <DIR> d-------- C:\Documents and Settings\Lee\Application Data\Antispyware
2008-08-19 20:19 . 02-05-15 15:16 462,848 --a------ C:\WINNT\system32\msaatext.dll
2008-08-19 20:19 . 02-05-15 15:16 360,448 --a------ C:\WINNT\system32\oleacc.dll
2008-08-19 20:19 . 02-05-15 15:16 360,448 --a--c--- C:\WINNT\system32\dllcache\oleacc.dll
2008-08-19 20:19 . 02-05-15 15:16 356,352 --a------ C:\WINNT\system32\oleaccrc.dll
2008-08-19 20:19 . 02-05-15 15:16 356,352 --a--c--- C:\WINNT\system32\dllcache\oleaccrc.dll
2008-08-19 18:57 . 08-07-10 15:12 600 --a------ C:\WINNT\win.tmp
2008-08-19 18:57 . 05-01-03 10:30 231 --a------ C:\WINNT\system.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-26 22:46 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-21 04:15 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-21 04:14 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-20 17:36 --------- d-----w C:\Documents and Settings\Lee\Application Data\SpywareBot
2008-08-20 00:00 --------- d---a-w C:\Documents and Settings\All Users\Application Data\AVG7
2008-08-18 22:18 --------- d-----w C:\Documents and Settings\Lee\Application Data\uTorrent
2008-08-18 21:22 --------- d-----w C:\Documents and Settings\Lee\Application Data\AVG7
2008-07-04 20:24 --------- d-----w C:\Program Files\Starcraft
2005-01-04 01:49 271 -c-h--w C:\Program Files\desktop.ini
1999-12-07 12:00 32,528 -c--a-w C:\WINNT\inf\wbfirdma.sys
2008-03-21 20:29 479,232 -c--a-w C:\Program Files\mozilla firefox\plugins\msvcm80.dll
2008-03-21 20:29 548,864 -c--a-w C:\Program Files\mozilla firefox\plugins\msvcp80.dll
2008-03-21 20:29 626,688 -c--a-w C:\Program Files\mozilla firefox\plugins\msvcr80.dll
.

((((((((((((((((((((((((((((( snapshot@Mon 2008-08-25_19.37.42.78 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-26 22:47:16 18,944 ----a-r C:\WINNT\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-08-26 22:47:16 65,024 ----a-r C:\WINNT\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [08-08-19 23:34 1576176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [05-11-15 01:51 755472]
"EPSON Stylus CX4200 Series"="C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE" [05-03-07 20:00 98304]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [08-03-29 02:12 98304]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [08-06-27 20:15 580096]
"Synchronization Manager"="mobsync.exe" [99-12-07 05:00 111376 C:\WINNT\system32\mobsync.exe]
"LoadQM"="loadqm.exe" [00-05-03 18:23 7536 C:\WINNT\loadqm.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [07-09-04 16:40 6856704]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [08-05-21 20:06 219136]

C:\Documents and Settings\Lee\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2005-01-26 10:26:50 225280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 13:05:56 65588]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [08-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
08-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Defragmentation Manager]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DHCP Client]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Keyboard Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\LSA Server]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Sound Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ulead Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ulead Systems]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\upnpdrv]
@="Service"

R1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINNT\System32\Drivers\avg7rsnt.sys [08-05-21 20:06 ]
R3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);C:\WINNT\System32\drivers\ctlsb16.sys [99-10-23 14:10 ]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\System32\DRIVERS\el90xbc5.sys [99-10-23 05:22 ]
S2 dxdmain;DirectX Graphics;C:\WINNT\System32\dxdmain.exe []
S3 GencTurK RootKit Driver;GencTurK RootKit Driver;C:\system.sys []
S3 msvnc;msvnc;C:\WINNT\system32\msvnc.sys []
S3 Winacpci;Winacpci;C:\WINNT\System32\DRIVERS\winacpci.sys [99-09-25 00:55 ]
S4 Defragmentation Manager;Managing FAT and NTFS partitions;C:\WINNT\System32\dfrgfat16.exe []

NETSVCS REQUIRES REPAIRS - current entries shown
EventSystem
Ias
Iprip
Irmon
Netman
Nwsapagent
Rasauto
Rasman
Remoteaccess
SENS
Sharedaccess
Tapisrv
Ntmssvc
WmdmPmSN
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-26 19:47:51
Windows 5.0.2195 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
SystemRoot\System32\smss.exe [152]
??\C:\WINNT\system32\csrss.exe [180]
??\C:\WINNT\system32\winlogon.exe [176]
C:\WINNT\system32\services.exe [228]
C:\WINNT\system32\lsass.exe [240]
C:\WINNT\system32\svchost.exe [408]
C:\WINNT\system32\spoolsv.exe [432]
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe [488]
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe [516]
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe [544]
C:\WINNT\System32\svchost.exe [568]
C:\WINNT\system32\stisvc.exe [600]
C:\WINNT\System32\WBEM\WinMgmt.exe [736]
C:\WINNT\system32\cmd.exe [868]
C:\WINNT\loadqm.exe [1056]
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE [988]
C:\Program Files\QuickTime\qttask.exe [1008]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe [976]
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [968]
C:\WINNT\Explorer.exe [1172]
C:\ComboFix\catchme.cfexe [956]
.
**************************************************************************
.
Completion time: 2008-08-26 19:54:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-27 02:53:42
ComboFix2.txt 2008-08-26 02:39:11

Pre-Run: 3,655,127,040 bytes free
Post-Run: 3,651,584,000 bytes free

173
 
We have some stubborn entries that just don't want to go.

Download gmer.zip from here and save it to your Desktop.
You will need to unzip it before you run it.

To do this: Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish


Double click gmer.exe to begin:
  • If you get a message about "system modification", click Yes and work through the rest of the instructions.
  • Ensure that the Rootkit Tab at the top is selected.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click the Scan button on the right.
  • When the scan has completed, (you'll have time for a snack and a cuppa!), click the Copy button underneath - this will save the report to your Clipboard.
  • Paste it into Notepad (Start > All Programs > Accessories > Notepad) and save it somewhere convenient.
  • Click the >>> Tab at the top and select the Autostart Tab.
  • Click the Scan button on the right - this one should only take seconds to complete.
  • Save the log as before.
Copy and paste both reports into your next reply - you may need to post them separately.
The Preview option may show the whole logs being posted, but they sometimes get cut down when the actual post is made, so check the post once it is completed.
 
Here's the first gmer report:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-08-27 11:00:46
Windows 5.0.2195


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwConnectPort [0xBFC94C90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateFile [0xBFC91B70]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateKey [0xBFCAA944]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateProcess [0xBFCA9760]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateSection [0xBFCAC610]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteFile [0xBFC92180]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteKey [0xBFCAB330]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteValueKey [0xBFCAB100]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDuplicateObject [0xBFCA9080]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwLoadKey [0xBFCAB4F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenFile [0xBFC91FD0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenProcess [0xBFCA8E80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenThread [0xBFCA8C40]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwReplaceKey [0xBFCAB7C0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRequestWaitReplyPort [0xBFC94960]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRestoreKey [0xBFCABA50]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSecureConnectPort [0xBFC94E40]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetInformationFile [0xBFC922F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetValueKey [0xBFCAAEA0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwTerminateProcess [0xBFCA9BB0]

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [BFC99590] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [BFC99700] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [BFC99AD0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [BFC99C30] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [BFC99C30] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [BFC99AD0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [BFC99590] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [BFC99700] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [BFC99590] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [BFC99C30] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [BFC99AD0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs avg7rsw.sys (AVG Resident Shield Unload Helper/GRISOFT, s.r.o.)

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\Ip avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\Tcp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\Udp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\RawIp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\IPMULTICAST avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)

AttachedDevice \FileSystem\Fastfat \Fat avg7rsw.sys (AVG Resident Shield Unload Helper/GRISOFT, s.r.o.)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SOFTWARE\Classes\CLSID\\ProgID@ 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3E37DD93-98C7-1D8F-31A5-2F8600B5CD22}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3E37DD93-98C7-1D8F-31A5-2F8600B5CD22}@bbmjmancapgclcglloefiohjhddonlcifibk 0x6B 0x61 0x63 0x6C ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F8DE961C-1C71-C374-682D-0E18CD5C58BF}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F8DE961C-1C71-C374-682D-0E18CD5C58BF}@bbfcglbcipjmlbphkafjljhnjbjhdjpicfnm 0x6B 0x61 0x70 0x6B ...

---- EOF - GMER 1.0.14 ----

and here are the autoscan results:

GMER 1.0.14.14536 - http://www.gmer.net
Autostart scan 2008-08-27 11:02:02
Windows 5.0.2195


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINNT\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@DLLName = C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
Avg7Alrt@ = C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
Avg7UpdSvc@ = C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
AVGEMS@ = C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
dxdmain@ = C:\WINNT\System32\dxdmain.exe /*file not found*/
mcsecure@ = "C:\WINNT\mcsecure.exe" /*file not found*/
RpcClient@ = C:\WINNT\System32\rpcclient.exe /*file not found*/
Rpcmon@ = C:\WINNT\system32\ooo.exe /*file not found*/
SCardClnt@ = C:\WINNT\System32\SCardClnt.exe /*file not found*/
StiSvc@ = %systemroot%\system32\stisvc.exe
vsmon@ = C:\WINNT\system32\ZoneLabs\vsmon.exe -service
WinMgmt@ = %SystemRoot%\System32\WBEM\WinMgmt.exe
Zonelaps@ = "C:\WINNT\vsmom.exe" /*file not found*/

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@Synchronization Managermobsync.exe /logon = mobsync.exe /logon
@LoadQMloadqm.exe = loadqm.exe
@Zone Labs ClientC:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe = C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
@EPSON Stylus CX4200 SeriesC:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200" = C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
@QuickTime Task"C:\Program Files\QuickTime\qttask.exe" -atboottime = "C:\Program Files\QuickTime\qttask.exe" -atboottime
@AVG7_CCC:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP = C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

HKCU\Software\Microsoft\Windows\CurrentVersion\Run@SUPERAntiSpyware = C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks@{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} = C:\Program Files\SUPERAntiSpyware\SASSEH.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{41E300E0-78B6-11ce-849B-444553540000} /*PlusPack CPL Extension*/plustab.dll = plustab.dll
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{8BEBB290-52D0-11D0-B7F4-00C04FD706EC} /*Thumbnails*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll
@{EAB841A0-9550-11CF-8C16-00805F1408F3} /*HTML Thumbnail Extractor*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll
@{1AEB1360-5AFC-11D0-B806-00C04FD706EC} /*Office Graphics Filters Thumbnail Extractor*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll
@{9DBD2C50-62AD-11D0-B806-00C04FD706EC} /*Summary Info Thumbnail handler (DOCFILES)*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll
@{500202A0-731E-11D0-B829-00C04FD706EC} /*LNK file thumbnail interface delegator*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll
@{fe1290f0-cfbd-11cf-a330-00aa00c16e65} /*Directory Namespace*/dsfolder.dll = dsfolder.dll
@{9E51E0D0-6E0F-11d2-9601-00C04FA31A86} /*Shell properties for a DS object*/dsfolder.dll = dsfolder.dll
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Program Files\WinRAR\rarext.dll = C:\Program Files\WinRAR\rarext.dll
@{4EFE464B-3D0B-4800-A5DE-2321283A3256} /*QCD IconHandler*/C:\Program Files\Quintessential Player\QCDIcons.dll = C:\Program Files\Quintessential Player\QCDIcons.dll
@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} /*AVG7 Shell Extension*/C:\Program Files\Grisoft\AVG7\avgse.dll = C:\Program Files\Grisoft\AVG7\avgse.dll
@{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} /*AVG7 Find Extension*/C:\Program Files\Grisoft\AVG7\avgse.dll = C:\Program Files\Grisoft\AVG7\avgse.dll

HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved@{BDEADF00-C265-11d0-BCED-00A0C90AB50F} /*Web Folders*/ = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG7\avgse.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers@{CA8ACAFA-5FBB-467B-B348-90DD488DE003} = C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers@{CA8ACAFA-5FBB-467B-B348-90DD488DE003} = C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG7\avgse.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx = C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
@{53707962-6F74-2D53-2644-206D7942484F}C:\PROGRA~1\SPYBOT~1\SDHelper.dll = C:\PROGRA~1\SPYBOT~1\SDHelper.dll
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

HKLM\Software\Microsoft\Internet Explorer\Plugins\Extension\.spop@Location = C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll /*file not found*/

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Pagec:\winnt\system32\blank.htm = c:\winnt\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
@Local PageC:\WINNT\SYSTEM32\blank.htm = C:\WINNT\SYSTEM32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
its@CLSID = C:\WINNT\System32\itss.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINNT\System32\itss.dll
ms-its51@CLSID = C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\itss51.dll
vnd.ms.radio@CLSID = C:\WINNT\System32\msdxm.ocx

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001@LibraryPath = %SystemRoot%\System32\rnr20.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\ >>>
000000000001@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000002@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000003@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000006@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000007@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000008@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000009@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000010@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000011@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000012@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000013@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000014@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000015@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000016@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000017@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000018@PackedCatalogItem = %SystemRoot%\system32\msafd.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019@PackedCatalogItem = %SystemRoot%\system32\msafd.dll

C:\Documents and Settings\Lee\Start Menu\Programs\Startup = PowerReg Scheduler V3.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup = Microsoft Office.lnk

---- EOF - GMER 1.0.14 ----
 